Speculations on Joint Civil/Criminal Nature of Oracle's Allegations Against SAP

Portfolio Media is reporting that a lawsuit filed by business software maker Oracle Corp. accusing German competitor SAP AG of wide-scale corporate theft could prompt criminal and civil actions against the company or “rogue” individuals acting on their own behalf. Based on Oracle’s 43-page complaint alleging that SAP illegally accessed its computers to steal thousands of Oracle software products and proprietary materials, SAP could face not only civil liability, but also criminal liability, according to analysts on Tuesday.

“It will be interesting to see whether the facts – if proved true – show this conduct was perpetuated by rogue individuals in SAP or individuals in management of the company. The complaint suggests there may be corporate liability in addition to personal liability,” said Scott Christie, a former U.S. prosecutor who investigated computer crimes. Rogue individuals, he explained, act on their own without the authority of the company.

Oracle’s suit was lodged in the U.S. District Court for the Northern District of California last week after Oracle allegedly learned that SAP was illegally accessing and stealing from Oracle’s computerized customer support systems. Christie, who is an IP and IT partner at McCarter & English LLP, said the complaint claims that the conduct has been going on for a substantial period of time, involves proprietary information and has led to significant losses for Oracle – the types of allegations that often peak the interest of federal prosecutors.

“The potential for criminal corporate liability exists and just depends upon what evidence Oracle shows,” he said. Christie added that a complaint showing evidence of illegal conduct is all federal prosecutors in San Francisco or Texas need to jump-start their own investigation. Scot Braunzell, head of cyber security for consulting firm Risk Control Strategies, agreed that the allegations could lead to a criminal investigation.“Companies don’t bring these types of complaints unless they have empirical forensic data. From what I’ve seen, it looks like Oracle has this legal information, which must be gathered in a strict manner to become a criminal case,” Braunzell said.

In the latest skirmish between the bitter rivals, Oracle accused SAP of gaining “repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle’s proprietary, password-protected customer support Web site.” The company said its German competitor had compiled an illegal library of Oracle’s copyrighted software code and other materials, creating a “storehouse of stolen Oracle intellectual property” that allowed SAP to offer cut-rate support services for customers who use Oracle software. SAP also used the copied software to attempt to lure customers to SAP’s applications software platform and away from Oracle’s, the complaint said. The two companies are staunch rivals in the multibillion-dollar market for business applications software.

The complaint raised the question of why SAP would risk engaging in this alleged conduct.“You don’t go and attack your biggest competitor. SAP is a market leader, and from what I can see from the complaint, it was not gathering enough IP to gain any type of large market advantage over Oracle. Why would SAP do this in the first place?" Braunzell asked. He said rogue employees may be involved who were not acting under any management guidelines, but he also brought up the issue of access control. In late November, Oracle noticed unusually heavy download activity on its systems that contrasted with the authorized, limited access to which its customers were entitled. Oracle claimed that SAP hijacked log-in credentials with expired support rights and copied thousands of individual software and support materials.“If the log-ins were expired, why were individuals allowed to log in? A lot has to come out from a forensic standpoint,” Braunzell said.

Among the claims made against SAP were violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, unfair competition, intentional and negligent interference with prospective economic advantage and civil conspiracy. Oracle sought to stop and prevent SAP from using illegally acquired materials, as well as damages and attorneys' fees, according to the lawsuit. In response to the suit, SAP said it intended to aggressively fight the corporate theft allegations.